Available Roles
This page describes the AWS access roles available to Synderys staff. Your roles are determined by your group membership, which is managed by IT during onboarding.
How Roles Work
When you sign in to the AWS SSO portal, you see a list of accounts and roles. Each role grants a specific set of permissions within a specific AWS account. You may have access to multiple roles across multiple accounts.
Roles are assigned through groups. If you belong to a group, you automatically receive all the roles associated with that group.
Roles by Group
aws-readonly
Read-only access across all accounts. You can view resources, configurations, and dashboards but cannot make any changes.
| Account | Role | Permissions |
|---|---|---|
| synderys-management | ReadOnly | View billing, organization settings |
| synderys-security | ReadOnly | View security configurations and dashboards |
| synderys-workload | ReadOnly | View DNS records, encryption keys, workloads |
aws-dns
Manage DNS records for synderys.com. Typically assigned alongside aws-readonly.
| Account | Role | Permissions |
|---|---|---|
| synderys-workload | DNSAdmin | Create, edit, and delete DNS records in Route 53 |
aws-auditors
Read-only access with additional visibility into security and audit logs.
| Account | Role | Permissions |
|---|---|---|
| synderys-management | ReadOnly | View billing, organization settings |
| synderys-security | SecurityAuditor | View CloudTrail logs, GuardDuty findings, security configurations |
aws-admins
Full administrative access across all accounts. Granted only to infrastructure administrators.
| Account | Role | Permissions |
|---|---|---|
| synderys-management | OrgAdmin | Full organization management, billing, IAM, SSO configuration |
| synderys-security | SecurityAdmin | Full security account access — CloudTrail, GuardDuty, S3 audit buckets |
| synderys-workload | VaultKMSAdmin | Manage KMS encryption keys used by Vault |
Understanding Your Access
To see which groups you belong to:
- Navigate to https://auth.synderys.com and sign in.
- Click your profile icon in the top-right corner.
- Select Settings.
- Your group memberships are displayed under your account details.
Alternatively, sign in to the AWS SSO portal at https://aws.synderys.com — the accounts and roles you see reflect your current group membership.
What to expect
Most users start with aws-readonly access. If your work requires DNS management, audit access, or administrative privileges, your manager will request the appropriate group membership from IT.
Multiple Group Membership
You can belong to more than one group. When you do, your access is the combined total of all your group memberships. For example, if you belong to both aws-dns and aws-readonly, you will see the synderys-workload account twice — once with the DNSAdmin role and once with ReadOnly.
Session Details
All roles have a 4-hour session duration. After 4 hours, you must re-authenticate through the SSO portal. This is a security requirement and cannot be extended.
Troubleshooting FAQ
Q: I do not see the role I need in the SSO portal.
A: Your account may not be in the correct group. Contact IT to request the appropriate group membership.
Q: I have the right role but still get "Access Denied" for certain actions.
A: Some roles are intentionally restricted. For example, DNSAdmin can only manage Route 53 records, not other AWS services. If you need broader access, contact IT.
Q: I was recently added to a new group but the new role does not appear.
A: Sign out of the SSO portal completely, close your browser, and sign in again. Group changes may take a few minutes to propagate.